Apr 5, 2024 - Technology

The looming threat of opening Apple's app ecosystem

Illustration of arrow cursors aimed at Apple's logo.

Illustration: Shoshana Gordon/Axios

The U.S. Department of Justice's antitrust complaint against Apple could end up forcing the company to allow app downloads outside its official store.

Why it matters: An open app ecosystem could lead to more flexibility for developers, but also more malware-laced, malicious apps targeting iPhones.

Catch up quick: Last month, the DOJ and more than a dozen state attorneys general filed a civil antitrust lawsuit against Apple accusing it of maintaining a monopoly in the smartphone market.

  • Many of those claims focus on the App Store's requirements and rules for developers.
  • To participate in the App Store, developers split revenue with Apple, go through an extensive identity verification process, and abide by content and security requirements to operate in the store.
  • If a federal judge deems any of these policies anticompetitive, Apple could be forced to allow iPhone users to download apps outside the official store.

Between the lines: Apple argues that these policies create a safer environment free of most malicious apps, spyware and viruses.

  • By keeping its ecosystem tightly reviewed, the company says, it can more easily weed out apps created by cybercriminals and nation-state hackers to scam people or spy on their activities.
  • However, some developers have argued that Apple's walled-garden ecosystem also allows the company to impose noncompetitive payment practices and pushes competitors out of the store.

The big picture: European regulators recently forced Apple to start allowing sideloading on iPhones.

  • Last month, Apple started rolling out a notarization process where it scans all iOS apps, whether offered in the store or not, for signs of malware and other viruses.
  • Apps that pass the review then receive a signing certificate signifying to devices that they're safe to use.
  • To build apps, developers also have to join the official Apple Developer Program, which includes a verification process.

Threat level: Currently, sideloading is a much larger threat on open developer ecosystems, like Google's Android, Benjamin Adolphi, head of threat research at Norway-based mobile security firm Promon, told Axios.

  • Savvy attackers can still find ways to spread spyware or other malicious content on iOS. But those attacks are far less frequent, Adolphi said.
  • Earlier this year, an app impersonating password manager LastPass was able to bypass Apple's App Store controls.
  • A report from Promon released this year found that 93 of the top 100 downloaded App Store apps are susceptible to a so-called repackaging attack, where attackers modify an original app slightly and redistribute it on their own.

Zoom in: It's yet to be seen whether the changes to European App Store policies will be sufficient to meet new antitrust laws, Adolphi said.

  • Right now, the changes aren't substantial enough to drastically change the threat landscape, he added, but that will change if the company is forced to roll back even one of those policies.
  • "If one of them goes away, that's a problem," Adolphi said. "If they're still in that much control as they are now, I don't see a big threat right now."

The intrigue: Allowing sideloading on a device doesn't have to be an all-or-nothing proposition.

  • Experts say Apple could run a program similar to the EU notarization process in the U.S.
  • Third-party app stores that could be allowed to operate on U.S. iPhones would likely also have their own security requirements and assessments.
  • And Apple isn't the only company proactively working against malware-laced apps. Android said last fall that it would start scanning sideloaded apps for malware at the time of installation.

Yes, but: Apple argues that the best way to mitigate these threats is through its walled-garden system.

  • An Apple spokesperson pointed Axios to several company white papers about sideloading published in recent years.
  • One published last month says that Apple's notary process will account only for security threats and that the company can't review the content of sideloaded apps.
Go deeper